Application Development Discussions
User Account Management

Former Member
0 Kudos

Could anyone advise me on how to maintain user accounts on an auditing basis?

From SUIM I have extracted users, the Roles & Profiles that were used, and the Transactions assigned to them.

But from an auditing point of view/SOX Compliance, I wish to know about this.

Any idea?

ann

10 REPLIES

Former Member
0 Kudos

Hi,

In respect of users:

Auditors would choose user IDs randomly and ask for some of the following:

1. Who created the user ID, process of approval

2. List of active users (you can have a customized report)

3. Change documentation (modify or adding additional roles)

4. Validity of users (for temp users)

5. Deletion of user ID process

For more information, see:

SAP Solutions for Governance, Risk, and Compliance: Access and Authorization Controls

http://www.sap.com/solutions/grc/accessandauthorization/index.epx

Cheers

Soma

Former Member
0 Kudos

Hello Soma,

Thanks for your time!

Sure, I shall look into the docs.

I am aware that it is not a good practice to create a profile for every individual Role.

Can you give me an overview of how to overcome this situation?

Rgds,

Ann

0 Kudos

Soma, just to add further to my clarification.

We have 2 Plants, X100 & Y100. So for an Engineer, if we need to give him access to MM02 (for ex.), my client has set up 2 different Roles & 2 Profiles, one for each Role.

The reason why they separate them is because some groups of users may not need to have access to MM02 under plant Y100.

Because of the above reason, I can find a lot of roles & profiles.

There are 17 depts in total. I wish to know how I can align & reduce the roles & profiles.

Can I say that I can create 1 Role & 1 Profile for each dept & add the transaction codes to this role?

But if I do it this way, say in the same dept another person need NOT have access to all the transaction codes under this Role, how do I separate him or her?

Please suggest the best method.

Thanks,

Ann

0 Kudos

You would typically set up an imparting role containing all of the transactions, and then derived roles from that imparting role that contain the organisational level splits.

This ensures consistency across the organisation, and reduces maintenance.

0 Kudos

Justin, thanks for your reply.

Could you explain in detail how to create an imparting role & derived roles?

I am not a Basis consultant so I do not have an idea about it...

My client is eager to know....

Regards,

Ann

Former Member
0 Kudos

I would like to know about the below too.

Is profile creation a must in authorization? I know that we assign the t-codes to a role.

But should a role be always tied to a profile?

My second question is:

we have 2 plants - X100 & Y100.

I have a dept say Engg dept - where I have a mgr & 4 engineers.

2 of them are in charge of X100 & the other 2 of Y100.

Say I have created 3 Roles & 3 Profiles.

1 for the Mgr with wider access & the other 2 roles for the 4 engineers for the 2 different plants.

But if it happens that the 2nd engineer should not have access to all those of engineer 1 in plant X100, how do I do it?

Is there any option to uncheck the profiles that are not needed for the 2nd engineer but are for the first one?

Sorry that I had to write a lot..

cheers,

Ann

0 Kudos

Hi Ann,

Can you let me know what version of R/3 it is?

I will explain the concept of Generic and Derived roles.

A Generic role (or, as some call it, Parent role) will have all T-Codes and organization levels (Plant, Shipping point, Purchasing Organization, Purchasing Group... etc.).

When you create a derived role (child role) you will have all the T-Codes and authorization values the same as the parent, except Organization levels.

To make it clearer I will explain with an example:

You have 2 plants X100 and Y100 and 2 Administrators (you want to assign the same authorization to both administrators but restrict by plant, i.e. 1st with X100 and 2nd with Y100).

Then you can use the concept of Generic and derived.

In Generic (Parent role) (ex: Parent_role) you can have both values (2 plants)

While in derived role (ex: Derived_role1) (child role) you can restrict with plant X100 (Org Levels)

In the 2nd derived role (ex: Derived_role2) (child role) you can restrict with plant Y100 (Org Levels)

By creating 2 derived roles and assigning them to the two users (Administrators 1st and 2nd),

now both have the same authorization and are restricted by Plant.

I hope you are clear.

Now I will explain how to create a Derived role with restrictions.

When you create a new role you will have an option in the Description tab:

Transaction inheritance (right side of the tab)

Derive from Role (Enter the Generic (parent) role name here)

By this the role will be the Derived role of the Generic role (parent).

In the Authorizations tab, when you are in edit mode/view mode (Display authorization data),

when you want to view/change, click (Ctrl+F8) or the Organizational levels button on the menu.

You will be shown a list of Org values (you can maintain the values here).

I hope you are clear; if you need more info let me know.

Cheers

Soma

0 Kudos

The only thing I can really add to the above post is that security and controls are really a specialist skill. Security is one of the major internal controls that mitigate business-critical risks. It's not something that should be attempted without strong knowledge and experience, as you will expose your client to all sorts of critical risks.

Do you have access to a security specialist/architect who can come in and provide some advice on your security strategy?

If you really insist on attempting to develop a security strategy/approach yourself, then I recommend that you familiarise yourself with this section:

SAP Identity and Access Management: http://help.sap.com/saphelp_erp2005vp/helpdata/en/49/15b93a38f43355e10000000a11402f/frameset.htm It answers your questions and provides further information that you will need to make decisions on how to split your organisational authorisations.

0 Kudos

Ann,

You need to have a good knowledge of SAP security.

Please check the below link where you can find all of the SAP security guides:

https://websmp104.sap-ag.de/securityguide

Of course, you need an OSS ID to get these guides.

If you are using roles for authorization management, forget about profiles. PFCG will take care of how many profiles it needs and which auth goes into which profile. Instead, learn about Single/Composite and Parent/Derived roles.

For your situation, use derived roles. Define organisational elements in the parent role, and while creating child roles you just need to define the specific org. elements for each child role only once. After that, whatever change you make to the parent role will be copied to the child role (except org. elements; they never change).

Check the below link if you do not have OSS access (and also if you have; it's very useful):

http://help.sap.com/saphelp_46c/helpdata/en/52/671d66439b11d1896f0000e8322d00/frameset.htm
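To make the parent/derived mechanism described by Soma and Amol concrete, here is an added illustration (not SAP code, and not from anyone in this thread): a small Python model of a parent role whose derived roles inherit transactions and authorization values but keep their own organizational levels, so a parent change propagates while the plant restriction survives. The field names WERKS and ACTVT, the transaction MM03 and the role names are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Assumption: plant (WERKS) is the only org-level field in this toy model.
ORG_LEVEL_FIELDS = {"WERKS"}


@dataclass
class Role:
    name: str
    tcodes: set             # transactions in the role menu
    auth_values: dict       # auth field -> set of allowed values (org levels included)
    parent: "Role | None" = None

    def derive(self, name, org_values):
        """Child role: a full copy of the parent, with org-level fields
        replaced by the values maintained for this child (Ctrl+F8 in PFCG)."""
        values = {f: set(v) for f, v in self.auth_values.items()}
        values.update({f: set(v) for f, v in org_values.items()})
        return Role(name, set(self.tcodes), values, parent=self)

    def regenerate(self):
        """Re-copy tcodes and non-org authorizations from the parent after the
        parent changed; org-level fields of the child are left untouched."""
        if self.parent is None:
            return
        self.tcodes = set(self.parent.tcodes)
        for f, vals in self.parent.auth_values.items():
            if f not in ORG_LEVEL_FIELDS:
                self.auth_values[f] = set(vals)


def authorized(roles, tcode, **org):
    """True if any assigned role grants tcode for the given org-level values."""
    return any(tcode in r.tcodes
               and all(v in r.auth_values.get(f, set()) for f, v in org.items())
               for r in roles)


def demo():
    # Constructed sample: one parent covering both plants, one child per plant.
    parent = Role("Parent_role", {"MM02"}, {"ACTVT": {"02", "03"}, "WERKS": {"X100", "Y100"}})
    d1 = parent.derive("Derived_role1", {"WERKS": {"X100"}})
    d2 = parent.derive("Derived_role2", {"WERKS": {"Y100"}})
    before = authorized([d1], "MM03", WERKS="X100")
    parent.tcodes.add("MM03")          # change made once, in the parent...
    d1.regenerate(); d2.regenerate()   # ...and pushed down to the children
    return {"d1_x100": authorized([d1], "MM02", WERKS="X100"),
            "d1_y100": authorized([d1], "MM02", WERKS="Y100"),
            "d2_y100": authorized([d2], "MM02", WERKS="Y100"),
            "mm03_before": before, "mm03_after": authorized([d1], "MM03", WERKS="X100"),
            "d1_plants": d1.auth_values["WERKS"]}
```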

Former Member
0 Kudos

Thanks Amol, Justin, Soma for all your advice.

Yes, I do have OSS id. I will explore more on it !

Rgds,

Ann